Spanish police arrest 3 in PlayStation Network hacks

Spanish police said this morning that they have arrested three people involved in the hacking of Sony's PlayStation Network, which led to Sony shutting down the PlayStation 3's network for a month, locking nearly 80 million gamers out of playing online.

All three were freed without bail pending formal charges. The New York Times reports that they are expected to be charged with "forming an illegal association to attack public and corporate Web sites, a charge that faces a potential sentence of up to three years in prison."

"Spanish Police dismantle the #Anonymous hacker group in Spain. They attacked #Playstation Store," they wrote on their official Twitter feed early this morning. "Police arrested 3 #Anonymous leaders in Barcelona, Alicante & Almería. They attacked governments of Egypt, Algeria, Libya, Colombia...

"#Anonymous has thousands of 'zombies' computers infected all over the world."

The New York Times reports that according to police one of the hackers had "harbored a computer server in an apartment in the northern port city of Gijon, from which the group attacked the Web sites of the Sony PlayStation online gaming store."

It is not clear if the three were the only ones suspected of being responsible for the massive hack attack or if this is the beginning of a series of arrests.

Spanish police say the three are also connected to hacking attacks on banks BBVA and Bankia, utility ENEL and the governments of Egypt, Algeria, Libya, Iran, Chile, Colombia and New Zealand.

The investigation by Spanish police began in October 2010 after a denial of service attack was carried out on the country's Minister of Culture website.

Anonyops, a site often used for public statements from the group, had no comment posted about the arrest. The official Twitter feed for the group had this to say:

"Dear @policia, Expect us. #Anonymous."

The organized hack attack forced Sony to shut down its PlayStation Network, Qriocity and Sony Online Entertainment services and resulted in theft of personal data from millions of users. Some experts have said it is the largest hack attack in history.

The attack spurred the governments of countries around the world to look into the timing of Sony's customer notification. According to Sony's own timeline, released to Congress as part of a response to their questions earlier this week, Sony first discovered the breach on April 19, but didn't realize data had been taken from the servers until April 20. The company publicly notified customers of the stolen data on April 26, a day after three private security firms hired by the company confirmed most of what had been stolen.

The arrests come days after the FBI arrested a man whom they say is a member of hacker group LulzSec, accusing him of being involved in the attacks on Sony BMG, Sony Pictures and Nintendo USA's website.

We have contacted the FBI, which is conducting the investigation into the attack in the U.S., and Sony for comment and will update this story when they reply.

well depends on how you look at it. To me if these guys didn't publicize what they did..You would have never known...and sony wouldn't be forced to change their insecurities.

If they didn't do it (hack them), someone else would and I can almost guarantee you just about anyone else that was doing it would not be trying to warn sony of their insecurities...they would be doing it for personal profit. people should realize this and the importance of the difference...the fact that they posted it publicly makes all the statement...regardless of the way they choose to word it.

"Now until more information is revealed on the technicals, I can only speculate, but I bet Sony's arrogance and misunderstanding of ownership put them in this position. Sony execs probably haughtily chuckled at the idea of threat modeling. Traditionally the trust boundary for a web service exists between the server and the client. But Sony believes they own the client too, so if they just put a trust boundary between the consumer and the client (can't trust those pesky consumers), everything is good. Since everyone knows the PS3 is unhackable, why waste money adding pointless security between the client and the server? This arrogance undermines a basic security principle, never trust the client. It's the same reason MW2 was covered in cheaters, Activision even admitted to the mistake of trusting Sony's client. Sony needs to accept that they no longer own and control the PS3 when they sell it to you.

Notice it's only PSN that gave away all your personal data, not Xbox Live when the 360 was hacked, not iTunes when the iPhone was jailbroken, and not GMail when Android was rooted. Because other companies aren't crazy.

Basically Sony is mad about people hacking their console because the only real security is the console itself...they have no intermediary security. Again how come there is no real risk to M$ when I play modded games on my consoles on XBL? Because as much as you never hear me throw a big up to M$, I have to admit they have XBL set up as securely as it can get without ruining the gaming experience.

Sony should have been worrying about fixing the insecure method for ps3/psn connections and not stopping the inevitable (someone hacking their console) thinking because 1 person was stopped no one else is going to want to hack up the expensive ass unit they bought and own. They are accusing GH of circumventing their security. That would be like saying I want to keep a million dollars safe...so I am going to leave it in plain sight in a big glass house and surround the house with rocks.

well depends on how you look at it. To me if these guys didn't publicize what they did..You would have never known...and sony wouldn't be forced to change their insecurities.

That's still no excuse. That's like saying "The bank was robbed, but it's ok, because the individuals doing so did so to expose vulnerabilities". Nuh huh, it don't work like that

I don't hold Sony irresponsible here by any means. They were warned that they were vulnerable, they did nothing (in the short term) to fix it, but you can't simply just "fix" something that huge in a matter of months. It has to be planned out, orchestrated, and put together. It's not just "do it now or else".

Giving a mere 3 year sentence (which they won't get because it's the max) is a slap on the wrist. These idiots stole (unlawfully obtained) personal information, including passwords, bank accounts, credit card information, phone numbers, addresses, etc. If they even get 3 years, it's like saying "Hey, we accept this kind of action, it's ok to do this".

That's still no excuse. That's like saying "The bank was robbed, but it's ok, because the individuals doing so did so to expose vulnerabilities". Nuh huh, it don't work like that

You can't compare the two because if you examine the essence of my examination of what actually happened and what your hypothetical comparative it basically doesn't compute...people rob banks to profit. The people who hacked the network showed an obvious lack of security measures taken from the get-go in the psn network...and they did not make money and notified publicly so something would be done about it. They exploited obvious and lax (in)security measures only to find that they could recover passwords in unencrypted plain text. PSN accepts credit cards so they must be in compliance with PCI standards. example

Bank robbers (try to) get away and say nothing...they don't make posts on the web indicating that they have robbed a bank and how they did it. They keep the bounty, keep their mouths shut and continue acting like everyone else. They don't tell everyone their plan because they want the exploit to remain insecure.

I don't hold Sony irresponsible here by any means. They were warned that they were vulnerable, they did nothing (in the short term) to fix it, but you can't simply just "fix" something that huge in a matter of months. It has to be planned out, orchestrated, and put together. It's not just "do it now or else".

Their method was insecure from the first place. You can't rely on a console that someone else owns to maintain the security of your network...they ignored that a long time ago...months is an understatement, being public about it was a way to stop what may have also happened many times in the past.

Giving a mere 3 year sentence (which they won't get because it's the max) is a slap on the wrist. These idiots stole (unlawfully obtained) personal information, including passwords, bank accounts, credit card information, phone numbers, addresses, etc. If they even get 3 years, it's like saying "Hey, we accept this kind of action, it's ok to do this".

Saying they are idiots allows me to say any idiot could have obtained my info from sony and in fact I have my info on their system for multiple reasons. Again sony should observe obvious security standards and recognize that they do not own your console once you purchase it therefore can't be the primary security feature.

.people rob banks to profit. The people who hacked the network showed an obvious lack of security measures taken from the get-go in the psn network...and they did not make money and notified publicly so something would be done about it.

wrong answer
Had they done this to 'not make money', they wouldn't have taken (and offered to sell in multiple areas) individual financial information.

Their method was insecure from the first place. You can't rely on a console that someone else owns to maintain the security of your network...they ignored that a long time ago...months is an understatement, being public about it was a way to stop what may have also happened many times in the past.

They were informed MONTHS ago (not years) that their software was vulnerable.

Saying they are idiots allows me to say any idiot could have obtained my info from sony and in fact I have my info on their system for multiple reasons. Again sony should observe obvious security standards

Where have I EVER said otherwise? Go on, show me where I've said otherwise.
So, by your analysis (again):
I was robbed 4x last year between January and June. The first time, they got in through the kitchen window, because the window was not possible to be locked properly. After that, they busted through my AC, once again through my window, and once mysteriously (still tryin to figure that out). You're saying, again, that they were simply 'trying to improve security'? Same with every OTHER apartment they robbed in the complex during that time? Think again. No, this was all about greed, as was the hacks. It's the SAME DAMN THING. Greed and recognition.

and recognize that they do not own your console once you purchase it therefore can't be the primary security feature

And here we get to the REAL reason that they were 'hacked'. It had nothing to do with "security", it had everything to do with some kid not liking Sony's policies (ie: them telling you you can't put some other OS on the system). Sony took away their toys, Anonymous fired back by hacking the system. AMAZING isn't it that they threatened to do this BECAUSE of this, yet every fanboy is claiming "ooh, they did it to force Sony to improve security"..... Sorry, incorrect. They DID this (and they publicly stated this) in retaliation for what Sony did to remove the ability to install OtherOS. That's all. It's got nothing to do with forcing anyone to be 'more secure', or they would have done this much, much sooner.

These kids are idiots, pure and simple. They deserve a MUCH harsher sentence than 3 years, but they'll get a slap on the wrist instead. They deserve to be made examples of, totally and completely.

They were informed MONTHS ago (not years) that their software was vulnerable.

It is not the software...they rely on my ps3 to maintain the security of the software..so in reality it is probably a lack of some middleman software that is the problem. In the end it is common network practice to not trust and rely on client end to maintain the security. Also they should know that the data for gaming/applications and billing should be separate servers...that is obvious.

Where have I EVER said otherwise? Go on, show me where I've said otherwise.
So, by your analysis (again):
I was robbed 4x last year between January and June. The first time, they got in through the kitchen window, because the window was not possible to be locked properly. After that, they busted through my AC, once again through my window, and once mysteriously (still tryin to figure that out). You're saying, again, that they were simply 'trying to improve security'? Same with every OTHER apartment they robbed in the complex during that time? Think again. No, this was all about greed, as was the hacks. It's the SAME DAMN THING. Greed and recognition.

Did the robber knock on your door and offer you assistance to secure your place like these guys
I didn't think so.

And here we get to the REAL reason that they were 'hacked'. It had nothing to do with "security", it had everything to do with some kid not liking Sony's policies (ie: them telling you you can't put some other OS on the system). Sony took away their toys, Anonymous fired back by hacking the system. AMAZING isn't it that they threatened to do this BECAUSE of this, yet every fanboy is claiming "ooh, they did it to force Sony to improve security"..... Sorry, incorrect. They DID this (and they publicly stated this) in retaliation for what Sony did to remove the ability to install OtherOS. That's all. It's got nothing to do with forcing anyone to be 'more secure', or they would have done this much, much sooner.

They were told privately sooner...they did not listen as most companies don't as the security heads take offense when some like you said idiot comes in and pisses on their parade.

These kids are idiots, pure and simple. They deserve a MUCH harsher sentence than 3 years, but they'll get a slap on the wrist instead. They deserve to be made examples of, totally and completely.

If you insist these are kids and idiots I must insist that sony is in fact responsible for making it so easy a caveman could do it.

As harsh as you say these "idiots" penalties should be...I think regardless the level of their penalty sony should be held to a 10th degree higher than that as they are responsible for the security of their customer database and no one else.

The group that posted publicly was not trying to make money...you must be confused.

It is not the software...they rely on my ps3 to maintain the security of the software..so in reality it is probably a lack of some middleman software that is the problem. In the end it is common network practice to not trust and rely on client end to maintain the security. Also they should know that the data for gaming/applications and billing should be separate servers...that is obvious.

Did the robber knock on your door and offer you assistance to secure your place like these guys
I didn't think so.

They were told privately sooner...they did not listen as most companies don't as the security heads take offense when some like you said idiot comes in and pisses on their parade.

If you insist these are kids and idiots I must insist that sony is in fact responsible for making it so easy a caveman could do it.

As harsh as you say these "idiots" penalties should be...I think regardless the level of their penalty sony should be held to a 10th degree higher than that as they are responsible for the security of their customer database and no one else.

No, they were just trying to have a large e-peen.

Stop justifying their actions, because these groups want nothing more than publicity and time in the lime light. They're not cracking servers or exploiting for any just cause, they're doing it because its entertaining to them, nothing more and nothing less.

I am not justifying it if you read my postings carefully, I am not saying what they did was the proper way to handle it. What I was suggesting is that name calling of them is not going to do anything except add needless banter to a heated topic. They are assuming responsibility for their actions the minute they set them in motion. If they get time, they get time. They will man up and do their time if that's what it comes to as they as people who know what they were doing it would appear and would also know the consequences of getting caught and also the ramifications of publicizing it.

On the hand of sony it is their responsibility as a profiteer in online sales and account management to secure the data of their users and comply with the standards set forth here.

Whatever the reason my point is when the people who can make the place more secure ignore the help it ends up turning into a joke.

Either way if they found sony was in fact not complying with the standards they could have anonymously contacted the group who sets them. They are accountable for their actions but sony is as well. To call them idiots is definitely to call sony even stupider for giving the 'idiots' a place to play. I am not favoring either.

The group that posted publicly was not trying to make money...you must be confused.

Which is why they were offering to sell the credit card and other financial information they obtained, as well as their list of other information, right? Yeah, think again.

It is not the software...they rely on my ps3 to maintain the security of the software..so in reality it is probably a lack of some middleman software that is the problem.

And you say I need to read up on the thing, or that I'm confused. Think again.
This hack was a direct result of outdated, unpatched software, which they were informed about months ago (not years). For starters, their webservers were running old versions of apache, which have huge vulnerabilities, and pretty pathetic firewalls. This is LESS about 'relying on the ps3', and more about proper update practices.

As harsh as you say these "idiots" penalties should be...I think regardless the level of their penalty sony should be held to a 10th degree higher than that as they are responsible for the security of their customer database and no one else.

The blame here is 50/50.
Sony, absolutely is responsible for maintaining security of data and ensuring it is PCI compliant. OBVIOUSLY, they failed. No question, no doubt, Sony SHOULD be hit with the max fine eligible for each account whose financial information was stolen.

This does NOT excuse, or absolve these idiots, however. Yes, the door was open, but that doesn't mean they have the legal right to just walk in and steal personal information.

Did the robber knock on your door and offer you assistance to secure your place like these guys

Well, the person assumed to be the robber did, numerous times, even shoved a gun in my face at one point. Irregardless, whether the person offered to do so or not (and they did not), this does not excuse the action of some power/fame hungry idiots that merely wanted attention. Blackmail is not acceptable in any part of the world, period, nor is theft.

To call them idiots is to definitely to call sony even stupider for giving the 'idiots' a place to play.

Sony was not given the appropriate time/warning to address the situation. You realize that the service was down for over a MONTH just so they could fix the problem, right? Think of how long it would have taken for them to do this with the service UP!

This is more in depth than your silly little PS3. This affected SOE, this affected EVERY Sony website. A MAJOR security overhaul was necessary, and you just can't DO that in a matter of 'a few months'. It's not feasible.

Wrong. I'm not favoring either. I've said from day 1 that Sony is equally responsible here. You? No, no, you definitely give these idiots a pass. Yes, they're idiots. Yes, they did it for profit (educate yourself, they DID offer to sell the information, they DID make it public), they did it for greed, for recognition. You simply ignore all of this and pretend they're 'ok'. They're not.

The reality here is very, very simple. So simple in fact that I'll use the same analogy I did before.
Leaving your door unlocked when you're not home is stupid. It's beyond stupid, especially in this day and age.
Walking INTO someone's house and taking their stuff is just a bit more stupid. Not only is it stupid, but it's ILLEGAL to do.
It's NOT illegal to leave your door unlocked, it IS illegal to take something that doesn't belong to you.

Well, the person assumed to be the robber did, numerous times, even shoved a gun in my face at one point. Irregardless, whether the person offered to do so or not (and they did not), this does not excuse the action of some power/fame hungry idiots that merely wanted attention. Blackmail is not acceptable in any part of the world, period, nor is theft.

Exactly

Wait....someone broke into your house and held you at gunpoint and told you what you needed to do to secure your place from these attacks? And how is a home invasion even related to accountability and non compliance with web standards and other persons' information and property?

Either way if some idiot as you say was able to get my information from sony that easy that an idiot could do it then I am glad they did it now and sony will have to (I assume) fix security or get shut down. It's a done deal.

As for the blame being on Sony's IT, while they should have made management aware of the risks of the system (We can't say they have or have not), IT departments are almost always limited in what they can do by management.

As for the blame being on Sony's IT, while they should have made management aware of the risks of the system (We can't say they have or have not), IT departments are almost always limited in what they can do by management.

Exactly.
This kind of stuff always goes up the chain of command. You wonder why it takes so long to resolve it? Well, because you have to actually plan to do this stuff, you don't just throw it out there and say "we'll fix this". No, no, you plan to do it, and that planning has to be approved by those at the top.

I'm not favoring either. I've said from day 1 that Sony is equally responsible here. You? No, no, you definitely give these idiots a pass. Yes, they're idiots. Yes, they did it for profit (educate yourself, they DID offer to sell the information, they DID make it public), they did it for greed, for recognition. You simply ignore all of this and pretend they're 'ok'. They're not.

The reality here is very, very simple. So simple in fact that I'll use the same analogy I did before.
Leaving your door unlocked when you're not home is stupid. It's beyond stupid, especially in this day and age.
Walking INTO someone's house and taking their stuff is just a bit more stupid. Not only is it stupid, but it's ILLEGAL to do.
It's NOT illegal to leave your door unlocked, it IS illegal to take something that doesn't belong to you.

speaking of that you should fix that window you were talking about before...apparently your safety depends on it eh?

As for the blame being on Sony's IT, while they should have made management aware of the risks of the system (We can't say they have or have not), IT departments are almost always limited in what they can do by management.

True and the sad thing is that the management will most likely go away with it while elsewhere heads will roll.

As much as I think Sony deserved a lesson for their arrogant attitude and all the epic fails in the past, the hacking attacks are the wrong way, because not only Sony suffered but also millions of more or less innocent customers.

A lot of humans deserve hell on earth for being murderers/rapists/child abusers and what not. Still, you can't get a gun and shoot them into the face (well, you can, but you'll not simply walk away without facing consequences).

Not purchasing anything from them is a method that should work equally well and has the advantage of being perfectly legal.

No matter how you try to say it, what they did is wrong. If you were told that if you robbed a bank and get caught, you would only serve 3 years. Would you do it? Most of us would not based on moral grounds, but you can guarantee thousands of others would. What is 3 years when you have hundreds of thousands of bank accounts, passwords, usernames, etc...

Not purchasing anything from them is a method that should work equally well and has the advantage of being perfectly legal.

Exactly.
Some of the stuff I had taken from me last year was gaming stuff (PS3, 360). I'd always had it in the back of my mind to replace the PS3 (eventually). Now? You couldn't get me anywhere near a PS3 after this debacle. Same with other Sony products. The first thing I did when I got access back (a couple weeks ago) was login and delete everything, make the info that was mandatory fake. I still have a few Sony products (BRD, stereo, psp), but you can bet those won't be replaced with Sony products when they retire.

Exactly. What Sony did was wrong, but, simply using them as an excuse to do something like this is wrong as well.
Which is more 'wrong'? It's a tough call, however, as I said earlier, the state of Sony's security, while wrong is not illegal. The same can not be said about hacking into computer systems, obtaining information, offering to sell it. That is 100% illegal.